F5 focuses on application security architecture and promotes new security strategies of north-south stratification and east-west precision division

[Original article from 51CTO.com] On February 20, at a security strategy communication meeting held in Beijing by F5, a leading application delivery vendor in China, Zhang Yiqiang, Vice President of F5 Asia Pacific and General Manager of China, together with Wu Jingtao, CTO of F5 China, and Zhou Xinyou, Technical Manager of the Government and Enterprise Customer Department, analyzed the security features of the new environment and interpreted F5's new security strategies and practices.

The Chinese market had a good start in 2019 and will further increase security investment in the future

Zhang Yiqiang first reviewed F5's achievements in China over the past year. He said that F5 continued to maintain steady growth in the Chinese market, with a stable market share and won market recognition, including being shortlisted for the 2018 Fortune Global Most Respected Companies and being rated as a global manager of WAF products by Forrester. In terms of technological innovation and strategic direction, F5 has consistently focused on security, multi-cloud, and intelligence as key strategies, building a big data engine and exploring new practices in AIOps. In addition, Zhang Yiqiang particularly emphasized the expansion of F5's "ecosystem" in China, establishing a close strategic alliance with local manufacturers such as H3C and Boyun, and deepening cooperation with Huawei in cloud strategy, effectively promoting F5's localization strategy.

Listing all the typical security incidents that occurred in 2018, Zhang Yiqiang recalled, "In responding to these security incidents, F5 was like a 'shock wave' that was ordered to help our customers successfully resolve threats. These industries or fields that have not been paid attention to in the past have begun to encounter security threats such as network hazards , which shows that the security situation has undergone new changes, and customers have strong demands for this." He emphasized that the application delivery technology that F5 focuses on is closely related to security. It can even be said that security is F5's innate DNA.

F5 Asia Pacific Vice President and China General Manager Zhang Yiqiang delivered a speech

From a unified protection strategy to a new security strategy of north-south stratification and east-west grayscale precision division

Regarding the new thinking and new architecture of F5's new security strategy, F5 China CTO Wu Jingtao proposed a security strategy of north-south layered protection and east-west grayscale traffic separation in the IPv4/v6 network environment.

Wu Jingtao said that in the new security environment, the conversion between offense and defense has shown minute-level changes. "In the past, the method of identifying danger and normal user access was relatively simple, and the characteristics of the two were also significantly different. At that time, it was only necessary to 'kill' abnormal machine access and allow normal user access to pass. But now, a large number of accesses come from applications. If this is still implemented, it will cause the normal user access to be mistakenly killed." Therefore, Wu Jingtao emphasized that with the large-scale access of mobile devices and applications, the grayscale in the network is becoming more and more complex, and the previous unified security protection strategy will gradually become ineffective.

In the new security strategy, the so-called north-south layered protection, customers usually first perform DDoS cleaning in the network of operators or public clouds, and then perform protection at different levels such as Internet interfaces and applications. At the same time, customer application architectures begin to shift to the structure of API calls, the relationship between applications, and the calls between applications form east-west traffic. Therefore, the so-called east-west grayscale precision is to provide refined security protection for some key businesses and applications in a precise manner.

Wu Jingtao emphasized that the agile and flexible application protection architecture built by F5 can accurately divide the grayscale traffic by user type, release channel, application version, and application type according to the different needs of the hazard mode, showing obvious technical advantages. In addition, from the perspective of the implementation of the security architecture, F5 hopes to use the product + service method in the future to achieve application situation awareness, combining big data collection, machine learning, intelligent baseline, root cause analysis, one-click configuration changes and other actions to achieve minute-level attack and defense conversion and use fine prognosis to optimize the scene.

Multi-cloud multi-active application services and programmable control under DevOps architecture

At the conference, Mr. Zhou Xinyou, customer technology manager of F5's government and enterprise department, also analyzed the technical key of multi-cloud multi-active application services under the DevOps architecture by taking the DDoS hazard protection model as an example. He said that under the multi-cloud multi-active architecture, security exists everywhere from infrastructure to data and applications. In the IPv6 environment, both the magnitude of DDoS hazard and the complexity of protection are very different from before. F5 is in front of the application and provides services for the application. We hope to turn security protection into a service through traffic visualization and the splitting of secure service chains. For different applications, security policies are divided and different service chains are guided.

In addition, in order to cope with the ever-changing applications, programmable control is very necessary for customers. F5 provides a programmable control mode based on a full-agent architecture. Among them, iRules is a default function in the F5 TMOS system, which provides users with programmable multiple hazard protection implementation methods. As a full-agent architecture, customers only need to perform simple operations to deploy new protection strategies in real time, which has an absolute advantage in the actual attack and defense process, and effectively reduces the complexity of operations and security risks.

[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]